Enterprises Failing To Protect Their Networks

Enterprises are exposing themselves to a range of security risks by failing to properly protect their applications and networks, according to new research from HP.

The 2010 Top Cyber Security Risks Report was carried out by HP's TippingPoint digital forensic labs, and should help companies to assess their own vulnerabilities and shore up their defences.

"To mitigate network security risk, organisations need insight into the potential threats associated with using social media networking sites and web application downloads in a business environment," said Mike Dausin, manager for advanced security intelligence at TippingPoint.

"By understanding the increased risk these applications pose to the corporate network, organisations can implement remediation strategies to ensure that business processes, as well as data, remain secure."

The report is partly based on information provided by Qualys and the SANS Internet Storm Centre, and warns that the latest attacks are more sophisticated than ever.

The proliferation of web applications and their use by enterprise workers is aiding malware writers, as it provides an open playing field for attacks.

"Our current research indicates that web applications continue to pose one of the biggest risks to corporate networks," said the report, warning that hackers are exploiting users' confidence in these applications to spread their wares.

The sophisticated malware can hide within an enterprise for long periods of time, the report said, harvesting information without detection.

"Few victims realise they are under attack until it is too late. It is increasingly common to hear of attackers remaining inside a compromised organisation for months, gathering information with which they design and build even more sophisticated attacks," TippingPoint said.

"Once the desired information is obtained, the attackers launch exploits that are more devastating and more covert. Attack sophistication has increased across the board, from client-side attacks, such as malicious JavaScript, to server-side attacks."

Attacks are not as prevalent as they were in 2006, when the survey graphs show a huge peak, and cross-site request forgery is the only attack type that has not declined since then.

This sort of attack hides within an official web application such as a banking site, potentially resulting in monetary losses and exposing companies to fraud.

"This is a serious attack which is web site specific and is difficult to detect in a typical vulnerability scan. Cross-site request forgery is noteworthy since there are certainly real world attacks that use this technique," said the report.
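The reason a forged request slips past a vulnerability scan is that the server sees a fully authenticated request from the victim's own browser. The following Python sketch, added here and not part of the HP report, models a bank transfer endpoint in both forms: one that trusts the session cookie alone, and one that also requires a per-session synchronizer token and checks the Origin header. All names (bank.example, attacker.example, alice, mallory) are constructed.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the bank's session store and ledger.
SESSIONS = {}                          # session id -> {"user": str, "csrf": str}
BALANCES = {"alice": 1000, "mallory": 0}
SITE_ORIGIN = "https://bank.example"   # hypothetical origin of the banking site

def new_session(user):
    """Log a user in; each session gets its own random synchronizer token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def _do_transfer(src, dst, amount):
    if dst not in BALANCES or amount <= 0 or BALANCES[src] < amount:
        return 400
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return 200

def transfer_unprotected(req):
    """Session cookie only: the browser attaches it to any request aimed at the
    bank, so a form posted from another site looks exactly like the user's own."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    return _do_transfer(sess["user"], req["form"]["to"], int(req["form"]["amount"]))

def transfer_protected(req):
    """Hardened: requires the session's synchronizer token (readable only by pages
    the bank served) and, if the browser sent an Origin header, the bank's origin."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    origin = req["headers"].get("Origin")
    token_ok = hmac.compare_digest(req["form"].get("csrf", ""), sess["csrf"])
    if not token_ok or (origin is not None and origin != SITE_ORIGIN):
        return 403
    return _do_transfer(sess["user"], req["form"]["to"], int(req["form"]["amount"]))

def cross_site_request(sid):
    """What a logged-in victim's browser submits when a page on another site
    auto-posts a form at the bank: the cookie rides along, the token cannot."""
    return {"cookies": {"sid": sid}, "headers": {"Origin": "https://attacker.example"},
            "form": {"to": "mallory", "amount": "500"}}

def genuine_request(sid):
    """The same transfer submitted from the bank's own page, token included."""
    return {"cookies": {"sid": sid}, "headers": {"Origin": SITE_ORIGIN},
            "form": {"to": "mallory", "amount": "500", "csrf": SESSIONS[sid]["csrf"]}}
```

The unprotected handler returns 200 for the cross-site submission and moves the money; the hardened one returns 403 for it while still accepting the genuine request.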

The number of unpatched vulnerabilities in systems, meanwhile, has grown rapidly in the past five years, according to the report, which cited figures from TippingPoint's Zero Day Initiative (ZDI) that rewards security researchers for disclosing vulnerabilities responsibly.

"As recently as 2006 it was uncommon for ZDI to have verified the existence of more than 50 unpatched vulnerabilities in products," said the report.

"In 2010 ZDI is aware of, and has disclosed to affected vendors, hundreds of vulnerabilities in products that are not yet patched."